Description
A cross-site scripting (XSS) vulnerability in Flusity-CMS v2.4 allows a local attacker to execute arbitrary code via a crafted payload submitted to the Gallery Name field in the tools/addons_model.php component. The vulnerability was tested on localhost and has been assigned the CVE identifier CVE-2024-27757.
Proof of Concept (PoC)
Payload
<script>alert(1);</script>
<script>alert(document.cookie);</script>
Impact
Attackers can inject HTML or JavaScript code that is reflected to anyone who visits the page.
Fix
Unfortunately, there will not be any official fix or patch for this vulnerability as the author of Flusity CMS has ceased its development as of February 2024.
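For installs that will stay unpatched, a local mitigation is to validate the Gallery Name on input and HTML-encode it wherever it is rendered. The sketch below is an added example, not code from Flusity-CMS or from the reporter; the function names and the allow-list policy are assumptions.

```php
<?php
// Added example: local mitigation sketch for an unpatched install.
// Function names and the allow-list are assumptions, not Flusity-CMS code.

declare(strict_types=1);

/**
 * Input-side check: accept only names made of letters, digits, spaces
 * and a few punctuation marks, 1 to 64 characters long (assumed policy).
 */
function is_valid_gallery_name(string $name): bool
{
    return preg_match('/\A[\p{L}\p{N} _.\-]{1,64}\z/u', $name) === 1;
}

/**
 * Output-side encoding for an HTML text or quoted-attribute context.
 * ENT_QUOTES encodes both quote styles; ENT_SUBSTITUTE replaces invalid
 * UTF-8 instead of returning an empty string.
 */
function render_gallery_name(string $name): string
{
    return htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample values: one ordinary name plus the two payloads from the PoC.
$samples = [
    'Summer 2023',
    '<script>alert(1);</script>',
    '<script>alert(document.cookie);</script>',
];

foreach ($samples as $name) {
    printf(
        "%-45s valid=%-5s rendered=%s\n",
        $name,
        is_valid_gallery_name($name) ? 'yes' : 'no',
        render_gallery_name($name)
    );
}
```

The output encoding is the control that matters for names already stored in the database; the input check only keeps new markup from being saved.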
Remarks
Discovered and reported by Jubilian Ho Hong Yi